In this blog post, I will show you how to deobfuscate a ConfuserEx-protected .NET application.
Unfortunately, there are a lot of videos on YouTube about how to deobfuscate such programs, but these videos are complicated and the instructions are either convoluted or do not yield a good result.
Open the program with dnSpy (or drag and drop it):
At first inspection, we can tell there is obfuscation from the cryptic name of the entry point at line 4. Additionally, if you click on the “ConfusedTest.exe” node, you will see more attributes and the obfuscator name (ConfuserEx v1.0.0-4-g3fd0d55):
Today I release the first Alpha version of Ganxo (pronounced as “Gun Show” or “Gan Chou”), an open source API hooking framework. In Catalan, Ganxo means “hook”, thus the framework’s name.
Writing an API hooking framework was always on my to-do list. I started developing Ganxo back in April 2016 and, after two weeks of development during my free time, I got busy with other things and abandoned my efforts.
My initial goals were to accomplish the following before going public with it:
Support x86 and x64 hooking
Write a more extensive test suite
Fully document it
This past weekend, I decided to release Ganxo even though I have not met all my goals. As of today, Ganxo works on MS Windows and supports x86 API hooking. The groundwork is laid down and it should be easy to add x64 hooking support on Windows, or even port it to other operating systems.
Feel free to clone the code from here and start using it today.
Stay tuned, I plan more features in the coming future!
Do you want to master Batch Files programming? Look no further, the Batchography is the right book for you.
Available in print or e-book editions from Amazon.
In this article, I am going to list half a dozen DLL injection techniques that can be used by a user-mode process running on MS Windows. There could be more techniques, but I am sharing with you the techniques that I have had first-hand experience with.
1. AppInit_DLLs
People used to rely on the AppInit_DLLs registry key. The OS loader queries this value and loads the DLLs specified there when a process is created. I have not used this technique in a long while (the last time I used it was on Windows XP) and I heard it is now restricted or discontinued because it was widely used by malware.
2. SetWindowsHookEx API
The SetWindowsHookEx API installs an application-defined hook procedure into a given hook chain. There are various supported hook chains (CBT, journal, window messages, keyboard, mouse, etc.).
When using the SetWindowsHookEx API, you are instructing the operating system to inject your custom hook DLL into other processes where it is relevant. Windows hooks only work when the other processes import or use functionality from USER32.dll.
Hiew+ is based on the FsPlus project. FsPlus is an implementation of an idea that allows you to access non-disk files as if they were disk files. Hiew+ is a real-life example of FsPlus, where we take Hiew (an excellent hex editor) and turn it into an excellent process editor. Each process is viewed as a file whose size is the value returned in SYSTEM_INFO.lpMaximumApplicationAddress. In theory, FsPlus should work with any hex editor to provide process memory editing, but this release is Hiew-ready only.
Usage
To use FsPlus, you need to inject FsPlus.dll into Hiew’s process memory so that the APIs are hooked. After the APIs are hooked, FsPlus will recognize and treat differently any file name of the form “pid|1234”, where 1234 is a given PID. To make usage even simpler, I provide a small GUI (FsPlusGui) to allow you to launch Hiew conveniently.
In fact, Hiew+ can be considered a nice addition to your reverse engineering arsenal, alongside IDA Pro‘s debugger or any other debugger.
Here’s a screenshot of the FsPlusGui:
You will need to double click on a process to have Hiew or the desired process launched with FsPlus support.
Make sure you specify the settings correctly in FsPlus.ini:
After you run it successfully, you will be able to edit processes as if you were editing files. The catch is that each process virtual address is now a physical offset in Hiew.
Modules as IMAGE_SECTION_HEADERs
For your convenience, we have created additional IMAGE_SECTION_HEADER structures in the PE header of the main process, so that each loaded module is viewed as a PE section:
Textual information about process’ modules
In addition to viewing modules as PE sections, you will have an actual representation of all loaded modules just after the end of the PE header:
No Read Errors
To avoid read errors, any unreadable memory page is filled with the “BAD!” pattern.
Physical and Logical disk editing
This is not something added by FsPlus; rather, it is an undocumented feature of Hiew32 that lets you use Hiew to view and edit logical and physical disk sectors:
Conclusion
This tool has been tested with Windows Vista (32) and Windows XP SP2 and with Hiew 7.29.
I hope you find this tool as useful as Hiew itself. Note: please don’t contact me if you run into trouble. This tool is no longer supported.
In this blog post, I am going to share with you a recipe from the Batchography book that illustrates and explains in detail how to embed executable files in a Batch file script and execute them after they are dropped.
This technique does not rely on a polyglot Batch file, where the first part is a Batch script and the other part is a VBS or JScript script. If you want to learn more about how to write polyglot Batch scripts, please refer to Chapter 4 of the Batchography book.
Get the book from Amazon: the print edition or the e-book edition
Security Reactions is a wonderful site that contains carefully selected animated GIF files that describe certain scenarios faced by security engineers and pentesters.
In the previous article, I showed you how to capture traffic from WiFi devices. In this article, I will illustrate how to capture HTTP/HTTPS traffic using Fiddler.
In this blog post, I am going to show you how to record all inbound and outbound network traffic from a wireless device (smartphone, tablet, laptop, etc.).
People desire to capture traffic for many reasons, namely for/by: